Protect Yourself from a Data Security Breach
Do you know where your cell phone is? If it falls in the wrong hands, and unsecured data is breached, you could conceivably be in violation of the Health Insurance Portability and Accountability Act (HIPAA).
The number of health care professionals who store patient data on laptops, USB memory sticks, and other portable electronic devices is growing, but some say data security is not.
Forrester Consulting conducted a study titled “Managing and Securing Mobile Healthcare Data and Devices,” on behalf of Fiberlink, the Blue Bell, Pa.-based developer of cloud-based “Mobility as a Service” (MaaS) solutions. The study found that 95 percent of health care enterprises relied on smartphones for work, making the industry one of the most mobile.
On April 17, 2009 the U.S. Department of Health & Human Services (HHS) issued guidance specifying the technologies and methodologies that render protected health information (PHI) unusable, unreadable or indecipherable to unauthorized individuals for security purposes. This guidance is related to breach notification regulations issued by HHS as they apply to HIPAA-covered entities.
The Health Information Technology for Economic and Clinical Health (HITECH) Act requires the HHS secretary to post PHI security breaches affecting 500 or more individuals. The current list shows a wide array of security breach methods, from theft or loss of electronic devices to inappropriately discarded paper records.
Covered entities, including health care professionals and business associates, can protect themselves from hefty fines by incorporating certain security measures into their daily business practices.
Username and password protection is a simple first step to securing data. This method is certainly not foolproof, however. Weak passwords—fewer than six characters, or based on dictionary words, names and dates—are easily compromised. Security experts recommend eight or more characters that are not common words, names or dates and that combine uppercase and lowercase letters with a few numbers and symbols thrown into the mix.
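The password guidance above can be turned into a policy check that a covered entity enforces at account setup. The following is an added example, not code from the article or from any vendor it mentions; the word and name lists are small constructed stand-ins for a real dictionary file, and the leetspeak substitution table is an assumption about how users commonly disguise dictionary words.

```python
import re
from datetime import datetime

# Constructed sample lists. A real deployment would load a full dictionary,
# a name list, and ideally a breached-password list from files.
COMMON_WORDS = {"password", "welcome", "hospital", "letmein", "summer", "qwerty"}
COMMON_NAMES = {"john", "mary", "smith", "michael", "jennifer"}

MIN_LENGTH = 8  # the article's "eight or more characters"

# Assumed common substitutions so that "P@ssw0rd" is still recognised as "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

CLASS_CHECKS = [
    (r"[A-Z]", "no uppercase letter"),
    (r"[a-z]", "no lowercase letter"),
    (r"\d", "no digit"),
    (r"[^A-Za-z0-9]", "no symbol"),
]


def _normalize(pw: str) -> str:
    """Lowercase, undo common letter/symbol substitutions, keep only letters."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def _contains_date(pw: str) -> bool:
    """True if the password carries a plausible year (1900-2099) or an
    eight-digit run that parses as MMDDYYYY, YYYYMMDD or DDMMYYYY."""
    if re.search(r"(?<!\d)(19|20)\d{2}(?!\d)", pw):
        return True
    for run in re.findall(r"\d{8}", pw):
        for fmt in ("%m%d%Y", "%Y%m%d", "%d%m%Y"):
            try:
                datetime.strptime(run, fmt)
                return True
            except ValueError:
                continue
    return False


def password_problems(pw: str) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    core = _normalize(pw)
    # Sorted so the first flagged word is deterministic.
    for word in sorted(COMMON_WORDS | COMMON_NAMES):
        if len(word) >= 4 and word in core:
            problems.append(f"contains dictionary word or name '{word}'")
            break

    if _contains_date(pw):
        problems.append("contains a year or date")

    for pattern, message in CLASS_CHECKS:
        if not re.search(pattern, pw):
            problems.append(message)
    return problems


def is_acceptable(pw: str) -> bool:
    return not password_problems(pw)


if __name__ == "__main__":
    for candidate in ("pass", "P@ssw0rd!", "Mary1985!x", "Tq7#vLp9!mZr"):
        print(repr(candidate), "->", password_problems(candidate) or "OK")
```

The check is deliberately a gate on new passwords, not a substitute for the other controls the article goes on to describe (encryption, monitoring, authentication); a complexity rule alone does nothing against a password reused from a breached site, which is why a breached-password list is worth adding to the constructed word lists.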
Data encryption can eliminate the HIPAA obligation to notify patients of a lost or stolen device, but it can be both expensive and difficult to use, warns Sentrigo, Inc. The security software maker advises covered entities to encrypt only the sensitive data that requires it, to manage encryption/decryption keys carefully, and to change those keys on a regular basis. “It’s important to combine encryption with other means and procedures, such as activity monitoring, auditing, periodic vulnerability assessments and user authentication,” says Sentrigo.
The Health Information and Management Systems Society (HIMSS) recommends the following security tactics:
- Encryption of all mobile devices
- Thumb drive ban
- Block USB ports on computers
- Purchase software for PDAs and smartphones that lets you call a number to automatically erase everything from the device if it is lost or stolen.
- Download a GPS-based tracking application that can help you locate a lost device.
- Use password protection.
- Don’t set devices down—keep them on your person at all times.